Assigning User Roles

A client is assigned a user role by one of several methods. A role assigned by one method may take precedence over one assigned by a different method. The methods of assigning user roles are, from lowest to highest precedence:

1. The initial user role or VLAN for unauthenticated clients is configured in the AAA profile for a virtual AP (see Access Points (APs)).
2. The user role can be derived from user attributes upon the client’s association with an AP (this is known as a user-derived role). You can configure rules that assign a user role to clients that match a certain set of criteria. For example, you can configure a rule to assign the role VoIP-Phone to any client that has a MAC address that starts with bytes xx:yy:zz. User-derivation rules are executed before client authentication.
3. The user role can be the default user role configured for an authentication method, such as 802.1x or VPN. For each authentication method, you can configure a default role for clients who are successfully authenticated using that method.
4. The user role can be derived from attributes returned by the authentication server and certain client attributes (this is known as a server-derived role). If the client is authenticated via an authentication server, the user role for the client can be based on one or more attributes returned by the server during authentication, or on client attributes such as SSID (even if the attribute is not returned by the server). Server-derivation rules are executed after client authentication.
5. The user role can be derived from Aruba Vendor-Specific Attributes (VSA) for RADIUS server authentication. A role derived from an Aruba VSA takes precedence over any other user roles.

The following sections describe the methods of assigning user roles.

Assigning User Roles in AAA Profiles

An AAA profile defines the user role for unauthenticated clients (initial role) as well as the default user role for MAC and 802.1x authentication. To configure user roles in the AAA profile:

In the WebUI

1. Navigate to the Configuration > Security > Authentication > AAA Profiles page.
2. Select the default profile or a user-defined AAA profile.
3. Click the Initial Role drop-down list, and select the desired user role for unauthenticated users.
4. Click the 802.1x Authentication Default Role drop-down list and select the desired user role for users who have completed 802.1x authentication.
5. Click the MAC Authentication Default Role drop-down list and select the desired user role for clients who have completed MAC authentication.
6. Click Apply.

In the CLI

(host)(config) #aaa profile <profile>

initial-role <role>

dot1x-default-role <role>

mac-default-role <role>

For additional information on creating AAA profiles, see AAA Profile Parameters.

Working with User-Derived VLANs

Attributes derived from the client’s association with an AP can be used to assign the client to a specific role or VLAN, as user-derivation rules are executed before the client is authenticated.

You configure the user role or VLAN to be assigned to the client by specifying condition rules; when a condition is met, the specified user role or VLAN is assigned to the client. You can specify more than one condition rule; the order of rules is important as the first matching condition is applied. You can optionally add a description of the user rule.

Table 1 describes the conditions for which you can specify a user role or VLAN.

Table 1: Conditions for a User-Derived Role or VLAN

Each entry lists the Rule Type, the Condition(s) you can select for it, and the Value you supply.

BSSID: Assign client to a role or VLAN based upon the BSSID of the AP to which the client is associating.
Condition: one of contains, ends with, equals, does not equal, starts with
Value: MAC address (xx:xx:xx:xx:xx:xx)

DHCP-Option: Assign client to a role or VLAN based upon the DHCP signature ID.
Condition: one of equals, starts with
Value: DHCP signature ID. NOTE: This string is not case sensitive.

DHCP-Option-77: Assign client to a role or VLAN based upon the user class identifier returned by the DHCP server.
Condition: equals
Value: string

Encryption: Assign client to a role or VLAN based upon the encryption type used by the client.
Condition: one of equals, does not equal
Value: one of Open (no encryption), WPA/WPA2 AES, WPA-TKIP (static or dynamic), Dynamic WEP, WPA/WPA2 AES PSK, Static WEP, xSec

ESSID: Assign client to a role or VLAN based upon the ESSID to which the client is associated.
Condition: one of contains, ends with, equals, does not equal, starts with, value of (does not take a string; the attribute value is used as the role)
Value: string

Location: Assign client to a role or VLAN based upon the ESSID to which the client is associated.
Condition: one of equals, does not equal
Value: string

MAC Address: Assign client to a role or VLAN based upon the MAC address of the client.
Condition: one of contains, ends with, equals, does not equal, starts with
Value: MAC address (xx:xx:xx:xx:xx:xx)

Understanding Device Identification

The device identification feature allows you to assign a user role or VLAN to a specific device type by identifying a DHCP option and signature for that device. If you create a user rule with the DHCP-Option rule type, the first two characters in the Value field must be the hexadecimal value of the DHCP option that this rule should match, and the remaining characters in the Value field are the DHCP signature the rule should match. To create a rule that matches DHCP option 12 (host name), the first two characters in the Value field must be the hexadecimal value of 12, which is 0C. To create a rule that matches DHCP option 55, the first two characters in the Value field must be the hexadecimal value of 55, which is 37.

The following table describes some of the DHCP options that are useful for assigning a user role or VLAN.

DHCP Option values

DHCP Option   Description               Hexadecimal Equivalent
12            Host name                 0C
55            Parameter Request List    37
60            Vendor Class Identifier   3C
81            Client FQDN               51

The device identification features in ArubaOS can also automatically identify different client device types and operating systems by parsing the User-Agent strings in the client’s HTTP packets. To enable this feature, select the Device Type Classification option in the AP’s AAA profile. For details, see Device Type Classification.

Configuring a User-derived VLAN in the WebUI

1. Navigate to the Configuration > Security > Authentication > User Rules page.
2. Click Add to add a new set of derivation rules. Enter a name for the set of rules, and click Add. The name appears in the User Rules Summary list.
3. In the User Rules Summary list, select the name of the rule set to configure rules.
4. Click Add to add a rule. For Set Type, select the VLAN name or ID from the VLAN drop-down menu. (You can select VLAN to create derivation rules for setting the VLAN assigned to a client.)
5. Configure the condition for the rule by setting the Rule Type, Condition, Value parameters and optional description of the rule. See Table 1 for descriptions of these parameters.
6. Select the role assigned to the client when this condition is met.
7. Click Add.
8. You can configure additional rules for this rule set. When you have added rules to the set, use the up or down arrows in the Actions column to modify the order of the rules. (The first matching rule is applied.)
9. Click Apply.
10. (Optional) If the rule uses the DHCP-Option condition, best practice is to enable the Enforce DHCP parameter in the AP group’s AAA profile, which requires users to complete a DHCP exchange to obtain an IP address. For details on configuring this parameter in an AAA profile, see Configuring Authentication.

Configuring a User-derived Role or VLAN in the CLI

(host)(config) #aaa derivation-rules user <name>

set role|vlan

condition bssid|dhcp-option|dhcp-option-77|encryption-type|essid|location|macaddr

contains|ends-with|equals|not-equals|starts-with|value-of <string>

set-value <role>

position <number>

See Table 1 for descriptions of these parameters.

User-Derived Role Example

The example rule shown in Figure 1 below sets a user role for clients whose host name (DHCP option 12) has a value of 6C6170746F70, which is the hexadecimal equivalent of the ASCII string laptop. The first two digits in the Value field are the hexadecimal value of 12 (which is 0C), followed by the specific signature to be matched.

There are many online tools available for converting ASCII text to a hexadecimal string.

Figure 1  DHCP Option Rule

To identify DHCP strings used by an individual device, access the command-line interface in config mode and issue the following command to include DHCP option values for DHCP-DISCOVER and DHCP-REQUEST frames in the controller’s log files:

logging level debugging network process dhcpd

Now, connect the device you want to identify to the network, and issue the CLI command show log network. The sample below is an example of the output that may be generated by this command.

Be aware that each device type may not have a unique DHCP fingerprint signature. For example, devices from different manufacturers may use vendor class identifiers that begin with similar strings. If you create a DHCP-Option rule that uses the starts-with condition instead of the equals condition, the rule may assign a role or VLAN to more than one device type.
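The following Python model, added here as an illustration and not part of ArubaOS or the original page, shows how a user-derivation rule set behaves under the conventions described above: rules are evaluated in position order and the first matching condition wins, a DHCP-Option rule value is the option number in hex followed by the hex-encoded signature (0C6C6170746F70 for a host name of laptop), DHCP signature comparison is case-insensitive, a client that has not completed a DHCP exchange cannot match a DHCP-Option rule (the reason for the Enforce DHCP recommendation), and a starts-with signature such as a vendor class beginning with MSFT matches more than one device type. The rule names, role names, client attributes and DHCP payloads are constructed for the example; the condition and rule-type keywords are the ones listed in Table 1 and the CLI syntax on this page.

```python
"""Model of ArubaOS user-derivation rule evaluation (added example, not Aruba code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


def dhcp_option_value(option: int, signature: str) -> str:
    """Build the Value field of a DHCP-Option rule: two hex digits for the option
    number followed by the hex encoding of the ASCII signature.
    dhcp_option_value(12, "laptop") -> "0C6C6170746F70" (the page's Figure 1 example)."""
    if not 0 <= option <= 255:
        raise ValueError("DHCP option number must fit in one byte")
    return f"{option:02X}" + signature.encode("ascii").hex().upper()


def decode_dhcp_option_value(value: str) -> tuple[int, str]:
    """Inverse of dhcp_option_value, useful when auditing a configured rule."""
    if len(value) < 2 or len(value) % 2:
        raise ValueError("value must be an even number of hex digits")
    return int(value[:2], 16), bytes.fromhex(value[2:]).decode("ascii", "replace")


@dataclass
class Rule:
    rule_type: str       # bssid|dhcp-option|dhcp-option-77|encryption-type|essid|location|macaddr
    condition: str       # contains|ends-with|equals|not-equals|starts-with|value-of
    value: str           # comparison string (hex option+signature for dhcp-option)
    set_value: str       # role or VLAN assigned when the rule matches
    description: str = ""
    position: int = 0    # lower position is evaluated first


def _matches(condition: str, attribute: str, value: str) -> bool:
    if condition == "contains":
        return value in attribute
    if condition == "ends-with":
        return attribute.endswith(value)
    if condition == "equals":
        return attribute == value
    if condition == "not-equals":
        return attribute != value
    if condition == "starts-with":
        return attribute.startswith(value)
    raise ValueError(f"unknown condition {condition!r}")


def _dhcp_attribute(client: dict, rule_value: str):
    """Look up the option named by the rule value in the client's observed DHCP
    options. Both sides are compared as upper-case hex (signature is not case sensitive)."""
    option, _ = decode_dhcp_option_value(rule_value)
    payload = client.get("dhcp-options", {}).get(option)
    if payload is None:  # no DHCP exchange seen, or the option was not sent
        return None, None
    return payload.hex().upper(), rule_value[2:].upper()


def evaluate(rules: list[Rule], client: dict) -> Optional[str]:
    """Return the role/VLAN from the first matching rule in position order, or None."""
    for rule in sorted(rules, key=lambda r: r.position):
        if rule.rule_type == "dhcp-option":
            attribute, value = _dhcp_attribute(client, rule.value)
        else:
            attribute, value = client.get(rule.rule_type), rule.value
        if attribute is None:  # attribute not available for this client: rule cannot match
            continue
        if rule.condition == "value-of":  # the attribute value itself is used as the role
            return attribute
        if _matches(rule.condition, attribute, value):
            return rule.set_value
    return None


# Constructed rule set: role names and the MSFT signature are illustrative, not Aruba defaults.
RULES = [
    Rule("dhcp-option", "equals", dhcp_option_value(12, "laptop"), "laptop-role",
         "host name equals 'laptop' (the page's example)", position=1),
    Rule("dhcp-option", "starts-with", dhcp_option_value(60, "MSFT"), "windows-role",
         "vendor class identifier begins with MSFT (constructed)", position=2),
    Rule("essid", "value-of", "", "", "use the ESSID name as the role", position=3),
]

# Constructed clients; "dhcp-options" maps option number -> raw option payload.
LAPTOP = {"macaddr": "00:11:22:33:44:55", "essid": "corp",
          "dhcp-options": {12: b"laptop", 60: b"MSFT 5.0"}}
DESKTOP = {"essid": "corp", "dhcp-options": {12: b"desk-01", 60: b"MSFT 5.0"}}
OTHER_MSFT = {"essid": "corp", "dhcp-options": {60: b"MSFT 5.07"}}
NO_DHCP_YET = {"essid": "guest"}  # associated, but no DHCP exchange observed

if __name__ == "__main__":
    for name, client in [("LAPTOP", LAPTOP), ("DESKTOP", DESKTOP),
                         ("OTHER_MSFT", OTHER_MSFT), ("NO_DHCP_YET", NO_DHCP_YET)]:
        print(f"{name:12s} -> {evaluate(RULES, client)}")
```

Running the block shows that both DESKTOP and OTHER_MSFT land in windows-role because the starts-with signature is shared, while NO_DHCP_YET falls through every DHCP-Option rule and is placed by the ESSID value-of rule instead.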

RADIUS Override of User-Derived Roles

This feature introduces a new RADIUS vendor-specific attribute (VSA) named “Aruba-No-DHCP-Fingerprint,” value 14. This attribute signals the RADIUS client (the controller) to ignore the DHCP fingerprint user role and VLAN change after L2 authentication. This feature applies to both CAP and RAP in tunnel mode, and to the L2 authenticated role only.

Configuring a Default Role for Authentication Method

For each authentication method, you can configure a default role for clients who are successfully authenticated using that method. To configure a default role for an authentication method:

In the WebUI

1. Navigate to the Configuration > Security > Authentication page.
2. To configure the default user role for MAC or 802.1x authentication, select the AAA Profiles tab. Select the AAA profile. Enter the user role for MAC Authentication Default Role or 802.1x Authentication Default Role.
3. To configure the default user role for other authentication methods, select the L2 Authentication or L3 Authentication tab. Select the authentication type (Stateful 802.1x or stateful NTLM for L2 Authentication, Captive Portal or VPN for L3 Authentication), and then select the profile. Enter the user role for Default Role.
4. Click Apply.

For additional information on configuring captive portal authentication, see Captive Portal Authentication.

In the CLI

To configure the default user role for MAC or 802.1x authentication:

(host)(config) #aaa profile <profile>

mac-default-role <role>

dot1x-default-role <role>

To configure the default user role for other authentication methods:

(host)(config) #aaa authentication captive-portal <profile>

default-role <role>

(host)(config) #aaa authentication stateful-dot1x

default-role <role>

(host)(config) #aaa authentication stateful-ntlm

default-role <role>

(host)(config) #aaa authentication vpn

default-role <role>

Configuring a Server-Derived Role

If the client is authenticated through an authentication server, the user role for the client can be based on one or more attributes returned by the server during authentication. You configure the user role to be derived by specifying condition rules; when a condition is met, the specified user role is assigned to the client. You can specify more than one condition rule; the order of rules is important as the first matching condition is applied. You can also define server rules based on client attributes such as ESSID, BSSID, or MAC address, even though these attributes are not returned by the server.

For information about configuring a server-derived role, see Configuring Server-Derivation Rules.

Configuring a VSA-Derived Role

Many Network Address Server (NAS) vendors, including Aruba, use VSAs to provide features not supported in standard RADIUS attributes. For Aruba systems, VSAs can be employed to provide the user role and VLAN for RADIUS-authenticated clients; however, the VSAs must be present on your RADIUS server. This involves defining the vendor (Aruba) and/or the vendor-specific code (14823), vendor-assigned attribute number, attribute format (such as string or integer), and attribute value in the RADIUS dictionary file. VSAs supported on controllers conform to the format recommended in RFC 2865, “Remote Authentication Dial In User Service (RADIUS)”.

For more information on Aruba VSAs, see RADIUS Server VSAs. Dictionary files that contain Aruba VSAs are available on the Aruba support website for various RADIUS servers. Log into the Aruba support website to download a dictionary file from the Tools folder.